US10140477B2 (Active, Utility)

Obfuscating in memory encryption keys

Assignee: VORMETRIC INC
Priority: Dec 9, 2013
Filed: Dec 9, 2013
Granted: Nov 27, 2018
Est. expiry: Dec 9, 2033 (~7.4 yrs left; nominal 20-yr term from priority)
Inventors: PANDIAN RAMARAJ; NANDODE ROHAN; GUPTA RAJESH
CPC: G06F 2221/2143, G06F 21/79, H04L 2209/12, G09C 1/00, H04L 2209/04, H04L 9/0894
Cited by: 0 · References: 23 · Claims: 20

Abstract

A method for obfuscating keys is provided. The method includes identifying that a memory is subject to one of a core dump or an hibernation and overwriting a key in unencrypted form in the memory, responsive to the identifying, wherein at least one method operation is performed by a processor. A system and a computer readable media are also provided.

Claims

exact text as granted — not AI-modified
What is claimed is: 
1. A method for obfuscating keys, performed by a processor, the method comprising:
    using a key to perform encryption processing, wherein the key is in unencrypted form;
    identifying that a system memory is subject to a core dump, wherein the core dump comprises copying the system memory into storage memory to produce an image of the system memory;
    overwriting, by an agent located in kernel space, the key in unencrypted form at a location in the system memory prior to the copying the system memory into the storage memory, responsive to the identifying, wherein the key is overwritten with a pattern;
    executing the core dump, wherein the pattern is copied into the image to produce a copy of the pattern in the image of the system memory;
    copying the image of the system memory back into the system memory;
    determining, based on detecting the pattern at the location in the system memory, the key in unencrypted form was overwritten in the system memory;
    obtaining a replacement key, responsive to the determining; and
    deleting the replacement key in response to determining that the encryption processing is complete.

2. The method of claim 1, wherein overwriting the key in the system memory includes writing one of a predetermined pattern, or a random pattern.

3. The method of claim 1, wherein the obtaining the replacement key further comprises:
    obtaining the replacement key in response to rebooting.

4. The method of claim 1, wherein overwriting the key in the system memory includes writing data to the system memory that indicates the key is no longer in the system memory.

5. The method of claim 1, further comprising:
    decrypting an encrypted key, to produce the key in unencrypted form.

6. The method of claim 1, further comprising:
    doubly decrypting a doubly encrypted key, to produce the key in unencrypted form.

7. The method of claim 1, wherein the identifying includes one from a set consisting of:
    calling a subroutine in response to initiation of the core dump;
    using a hook to an operating system;
    initiating a thread in response to initiation of the core dump; and
    passing a parameter in response to initiation of the core dump.

8. The method of claim 1, wherein the pattern is a predetermined code, flag or indicator.

9. An encryption processing system, comprising:
    a system memory; and
    at least one agent, operable through a processor coupled to the system memory and located in a kernel space of the encryption processing system, the at least one agent configured to:
    encrypt and decrypt files or portions thereof;
    hold an unencrypted key at a location in the system memory, for encrypting and decrypting files;
    detect, via a hook to an operating system, initiation of a core dump, wherein the core dump comprises copying the system memory into storage memory to produce an image of the system memory;
    overwrite, with a pattern, the unencrypted key at the location in the system memory prior to the copying the system memory into the storage memory, responsive to detecting the initiation of the core dump;
    executing the core dump, wherein the pattern is copied into the image to produce a copy of the pattern in the image of the system memory;
    copying the image of the system memory back into the system memory;
    detect the pattern at the location in the system memory, as indicating there is no key at the location in the system memory;
    obtain a replacement key, responsive to the detecting the pattern; and
    delete the replacement key in response to determining that an encryption processing is complete.

10. The encryption processing system of claim 9, wherein the unencrypted key in the system memory is overwritten in response to at least one from a set consisting of: a core dump that is about to occur, and a core dump that is begun but not yet completed.

11. The encryption processing system of claim 9, wherein:
    the system memory includes random-access memory (RAM);
    the at least one agent is configured to produce the unencrypted key as a result of a decryption of an encrypted key; and
    the at least one agent is configured to write the unencrypted key into the RAM, to hold the unencrypted key in the system memory.

12. The encryption processing system of claim 9, wherein:
    the image of the system memory is stored in the storage memory during the core dump; and
    the image of the system memory includes data with which the unencrypted key was overwritten.

13. The encryption processing system of claim 9, wherein the at least one agent is further configured to decrypt a multi-level encrypted key to produce the unencrypted key.

14. The encryption processing system of claim 9, wherein the at least one agent is further configured to produce the unencrypted key from an encrypted key, in response to commencement of the encryption processing, the unencrypted key held in the system memory during at least a portion of the encryption processing.

15. The encryption processing system of claim 9, wherein the pattern is a predetermined code, flag or indicator that is detectable to indicate there is no key at the location in the system memory.

16. A tangible, non-transient, computer-readable media having instructions thereupon which, when executed by a processor, cause an agent located in kernel space to perform a method comprising:
    decrypting an encrypted key to produce a decrypted key;
    applying the decrypted key to encryption processing;
    detecting, via a hook to an operating system, that a core dump is initiated;
    writing a pattern over the decrypted key in a location in a system memory, in response to detecting the core dump is initiated, wherein the writing the pattern is prior to copying the system memory into storage memory to produce an image of the system memory for the core dump;
    executing the core dump, wherein the pattern is copied into the image to produce a copy of the pattern in the image of the system memory;
    copying the image of the system memory back into the system memory;
    recognizing the pattern at the location in the system memory as indicating there is no key at the location in the system memory;
    obtaining a replacement key, responsive to the recognizing; and
    deleting the replacement key in response to determining that the encryption processing is complete.

17. The tangible, non-transient, computer-readable media of claim 16, wherein the decrypted key includes an encryption key, and the encryption processing includes encryption using the encryption key.

18. The tangible, non-transient, computer-readable media of claim 16, wherein the decrypted key includes a decryption key, and the encryption processing includes decryption using the decryption key.

19. The tangible, non-transient, computer-readable media of claim 16, wherein the method further comprises:
    transforming the decrypted key.

20. The tangible, non-transient, computer-readable media of claim 16, wherein the pattern is a predetermined code, flag or indicator that is interpretable to indicate there is no key at the location in the system memory.
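The sequence claim 1 lays out (key decrypted into memory, overwritten with a pattern when a core dump is initiated, pattern recognised after the image is copied back, replacement key obtained, replacement deleted once processing completes), as an added user-space simulation in C that is not the patent's or Vormetric's code. The key slot, the XOR-based "unwrap" and the sentinel pattern are constructed stand-ins; a real kernel agent would be invoked from the operating system's dump hook rather than called directly as here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#define KEY_LEN 16
/* Constructed sentinel standing in for the claims' "predetermined code, flag or indicator". */
static const uint8_t DUMP_PATTERN[KEY_LEN] = { 0xDE, 0xAD, 0xC0, 0xDE, 0xDE, 0xAD, 0xC0, 0xDE,
                                               0xDE, 0xAD, 0xC0, 0xDE, 0xDE, 0xAD, 0xC0, 0xDE };
/* Simulated kernel-space key slot in "system memory" (an assumption of this example). */
struct key_slot { uint8_t key[KEY_LEN]; bool valid; };
/* Volatile stores so the compiler cannot drop the overwrite as a dead store. */
static void fill(uint8_t *dst, const uint8_t *src, uint8_t fixed) {
    volatile uint8_t *p = dst;
    for (size_t i = 0; i < KEY_LEN; i++) p[i] = src ? src[i] : fixed;
}
/* Toy unwrap: XOR the encrypted key with a key-encrypting key; stands in for real
 * decryption of the stored key and is not a secure construction. */
void unwrap_key(const uint8_t *wrapped, const uint8_t *kek, struct key_slot *s) {
    for (size_t i = 0; i < KEY_LEN; i++) s->key[i] = wrapped[i] ^ kek[i];
    s->valid = true;
}
/* Core-dump hook: overwrite the key with the pattern before memory is copied into the image. */
void on_core_dump_initiated(struct key_slot *s) { fill(s->key, DUMP_PATTERN, 0); s->valid = false; }
/* Detection step: the pattern at the key's location means no key is present. */
bool key_was_overwritten(const struct key_slot *s) { return memcmp(s->key, DUMP_PATTERN, KEY_LEN) == 0; }
/* Obtain a replacement key only when the pattern is detected; returns true if one was installed. */
bool ensure_key(struct key_slot *s, const uint8_t *wrapped, const uint8_t *kek) {
    if (!key_was_overwritten(s)) return false;
    unwrap_key(wrapped, kek, s);
    return true;
}
/* Delete the key once encryption processing is complete. */
void release_key(struct key_slot *s) { fill(s->key, NULL, 0); s->valid = false; }
/* Drives the claimed sequence with constructed inputs: the dump image holds only the pattern,
 * the key is recovered after the image is copied back, and the replacement is deleted afterwards. */
bool round_trip_ok(void) {
    uint8_t kek[KEY_LEN], wrapped[KEY_LEN], plain[KEY_LEN], zero[KEY_LEN] = {0};
    for (size_t i = 0; i < KEY_LEN; i++) { kek[i] = 0x5A; plain[i] = (uint8_t)i; wrapped[i] = plain[i] ^ kek[i]; }
    struct key_slot mem = {{0}, false}, image;
    unwrap_key(wrapped, kek, &mem);                 /* key now in unencrypted form in memory */
    on_core_dump_initiated(&mem);                   /* agent overwrites it before the copy */
    image = mem;                                    /* core dump copies memory into the image */
    bool image_clean = key_was_overwritten(&image) && memcmp(image.key, plain, KEY_LEN) != 0;
    mem = image;                                    /* image copied back into system memory */
    bool replaced = ensure_key(&mem, wrapped, kek) && memcmp(mem.key, plain, KEY_LEN) == 0;
    release_key(&mem);                              /* processing complete: delete replacement */
    return image_clean && replaced && !mem.valid && memcmp(mem.key, zero, KEY_LEN) == 0;
}
```

The check that matters for a defender is `image_clean`: the only thing the dump image ever holds at the key's location is the sentinel, which is also what later tells the agent to fetch a replacement.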

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.